Security, Privacy, Policy, and Dependability Roundup

Lee

Pages: pp. 6-7

Security

Oregon Hay Products is suing the Oregon-based Community Bank for US$250,000, the amount stolen in a 2010 cybertheft. Typically, companies, unlike individuals, haven't been able to hold financial institutions responsible for cyber-attack losses. However, in light of the rising number of cyberthefts, businesses have increasingly gone to court to try to change this.

In the midst of tension and fear of war between North and South Korea, hackers have attacked two banks and three TV stations in South Korea, infecting 32,000 computers. The incidents corrupted computers' master boot records and deleted hard drive contents, causing service interruptions. South Korea increased its military's alert level in response. Researchers are unsure of the intrusions' origin but report that they appear to have used spearphishing and to have come from the same hacker. They also say the attacks were sufficiently complex to have required considerable planning and funding.

A distributed denial-of-service (DDoS) attack generating up to 300 Gbps of traffic hit the Spamhaus Project, a nonprofit antispam organization, in what some security experts say is the biggest DDoS attack in history. The assault began with a 10-Gbps attack that took Spamhaus's website offline and kept the organization from updating its blacklists. Spamhaus hired CloudFlare, which uses its own network to protect and accelerate websites, to lessen the attack's effects. After a few days, the assault resumed and intensified. Experts say the attackers used DNS amplification: they sent small DNS queries with Spamhaus's address forged as the source to roughly 30,000 unique open resolvers, which reflected their much larger responses to the victim and so magnified the traffic many times over. Two conditions make the technique possible: networks that let packets with spoofed source addresses leave (no BCP 38 egress filtering), and recursive resolvers that answer queries from anyone on the Internet.
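The signature a victim's network sees in an attack like the one described above is inbound UDP traffic sourced from port 53 on many distinct resolvers, with large datagrams, and no matching outbound queries. The following detection logic is an added example, not code from the original article or from Spamhaus or CloudFlare; it runs over constructed NetFlow-style records (the IP ranges, packet sizes and thresholds are assumptions) and also estimates how little attacker bandwidth a given amplification factor implies.

```python
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record as exported by the victim's edge router (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


def build_sample_flows(seed: int = 1) -> list[Flow]:
    """Constructed sample: 500 open resolvers reflecting ~3.5 KB responses at 192.0.2.10,
    which never sent a query, plus host 192.0.2.20 doing ordinary small lookups."""
    rng = random.Random(seed)
    flows: list[Flow] = []
    for i in range(500):
        resolver = f"203.0.113.{i}" if i < 256 else f"198.51.100.{i - 256}"
        pkts = rng.randint(50, 200)
        # Responses to spoofed queries land on whatever source port the attacker forged,
        # and each datagram is close to the EDNS0 payload size the attacker asked for.
        flows.append(Flow(resolver, 53, "192.0.2.10", rng.randint(1024, 65535),
                          "udp", pkts * rng.randint(3000, 4000), pkts))
    for _ in range(5):
        sport = rng.randint(1024, 65535)
        flows.append(Flow("192.0.2.20", sport, "203.0.113.1", 53, "udp", 70, 1))
        flows.append(Flow("203.0.113.1", 53, "192.0.2.20", sport, "udp", 120, 1))
    return flows


def detect_dns_reflection(flows: list[Flow], min_resolvers: int = 100,
                          min_avg_bytes: int = 1000, min_ratio: float = 10.0) -> dict:
    """Flag destinations that receive large UDP/53-sourced traffic from many distinct
    resolvers, out of proportion to the DNS queries they themselves sent."""
    responses: dict[str, list[Flow]] = defaultdict(list)
    query_bytes: dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:
            responses[f.dst].append(f)      # DNS answers arriving at f.dst
        elif f.dport == 53:
            query_bytes[f.src] += f.nbytes  # DNS questions f.src actually asked
    alerts = {}
    for victim, recs in responses.items():
        resolvers = {f.src for f in recs}
        total_bytes = sum(f.nbytes for f in recs)
        total_pkts = sum(f.packets for f in recs)
        avg_bytes = total_bytes / total_pkts
        sent = query_bytes.get(victim, 0)
        ratio = total_bytes / sent if sent else float("inf")
        if len(resolvers) >= min_resolvers and avg_bytes >= min_avg_bytes and ratio >= min_ratio:
            alerts[victim] = {
                "resolvers": len(resolvers),
                "avg_response_bytes": round(avg_bytes),
                "amplification_ratio": ratio,
                "response_bytes": total_bytes,
            }
    return alerts


def attacker_bandwidth_needed(observed_bps: float, query_bytes: int = 64,
                              response_bytes: int = 3500) -> float:
    """Spoofed-query bandwidth the attacker must source to produce observed_bps at the
    victim, given the per-query amplification factor (sizes are assumptions)."""
    return observed_bps * query_bytes / response_bytes


if __name__ == "__main__":
    for victim, info in detect_dns_reflection(build_sample_flows()).items():
        print(victim, info)
    print(f"{attacker_bandwidth_needed(300e9) / 1e9:.1f} Gbps of spoofed queries for 300 Gbps")
```

The ratio check is what separates reflection from a busy but legitimate resolver client: a host that asked for nothing and receives megabytes of answers is being used as the reflection target. With 64-byte queries yielding 3.5 KB answers, 300 Gbps at the victim needs only about 5.5 Gbps of spoofed queries, which is why open resolvers and missing egress filtering matter so much.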

Kaspersky Lab's Internet Security 2013 included a critical flaw that could cause computers on which it was loaded to crash. PCs loaded with the product would freeze if attacked via even a single specially designed, fragmented IPv6 packet with multiple extension headers. Kaspersky is making a fix available on demand immediately and is working on an automatic patch for all Windows machines with Internet Security 2013. The company emphasized that the flaw wouldn't let a hacker take over a PC or enable malicious activity.

Researchers have discovered a botnet that they say has generated $6 million monthly for its operators. Click fraud that uses botnets isn't new, but security experts say Chameleon is the most sophisticated scheme so far. The Chameleon botnet's operators set up 202 webpages, mostly in the US, and then convinced advertisers to place links on those pages and pay for each click on their links. The botnet's 120,000 compromised machines then automatically and repeatedly clicked on the links, fraudulently generating revenue for the operators. Security software had trouble identifying the malicious traffic because the botnet's malware used hundreds of thousands of different cookies, making the clicks look as if they came from many distinct visitors.

Privacy

The US Department of Justice has supported a change in a 1986 federal law that lets prosecutors subpoena email that has been opened or that is more than six months old, without a court-issued warrant. The agency is asking the US Congress to change the law, which is part of the Electronic Communications Privacy Act. ECPA was passed before email became commercialized and well before it became popular. Justice Department officials, agreeing with numerous privacy advocates and technology companies such as Google, said that there's no good reason to treat old and new messages differently and that all access should require a search warrant.

The World Economic Forum (WEF) has released a report saying that privacy rules should focus on how organizations use data they collect rather than on limiting information gathering. In its Unlocking the Value of Personal Data: From Collection to Usage report, the WEF said there's no point trying to limit data collection because gathering information is just too easy; big data has made traditional privacy based on collector notification and user consent obsolete. The important issue is how data is utilized. According to the report, technology can strike a balance between protecting privacy and making good use of data.

Policy

The US National Institute of Standards and Technology (NIST) has begun working with critical infrastructure providers and other technology companies to develop the cybersecurity framework that US President Barack Obama recently ordered. The project is designed to respond to the increasing threat of cyberattack on US nuclear power plants, utility company facilities, gas lines, and other important infrastructure elements, where a successful attack could cause service disruptions, property damage, injuries, and deaths. NIST says it plans to organize the project around three considerations: managing risk, cyberhygiene, and tools and metrics.

According to a study by the Chief Information Officers Council and NIST's National Initiative for Cybersecurity Education, the US government's IT security workforce could face a shortage of qualified employees in the next few years. The survey of approximately 23,000 federal employees found that a key problem is that many veteran security professionals are nearing retirement, which could leave mostly younger workers without sufficient experience or skills. Lower budgets, pay freezes, and possible reductions in pensions could encourage federal IT workers to retire sooner rather than later, the study said.

A group of legal and technology experts appointed by the North Atlantic Treaty Organization (NATO) has developed The Tallinn Manual on the International Law Applicable to Cyber Warfare, a draft treatise on how international law should apply to cyberwarfare. The treatise could serve as a type of modern Geneva Conventions, which apply to conventional warfare. It states that a country could legally use lethal force on sponsors of a cyberattack under the same circumstances that would justify that response to a traditional attack.

According to a report by the Business Software Alliance (BSA), a software trade group, inconsistent laws and rules in different countries are holding back the growth of cloud computing. The alliance analyzed the cloud computing–related laws and regulations in 24 nations that represent 80 percent of the global information and communications technologies market, scoring them in seven categories including data privacy and security. It found that individual countries are improving the legal infrastructure for cloud computing but aren't doing so in the same way or at the same rate. This makes it difficult for users to work with data across borders, which undercuts one of cloud computing's main benefits.

Dependability

A network-control software design flaw caused Google Drive, a popular cloud storage and applications suite, to experience three service delays in one week. The design flaw caused unanticipated latency when work shifted among servers because of load balancing. The latency led to problems with the software that manages user connections and sessions, causing the subsequent service delays. Google says it has repaired the network-control bug, will change its load-balancing policies, and will fix the user connection- and session-management problem.

Because of implementation errors, Cisco Systems' Type 4 password hashing algorithm, introduced in some versions of its IOS router operating system to strengthen a previous scheme, is actually weaker than its predecessor. Cisco designed Type 4 to follow the PBKDF2 (Password-Based Key Derivation Function 2) standard: an 80-bit random salt is combined with the plaintext password, and the result is run through 1,000 iterations of SHA-256. As shipped, however, Type 4 uses neither PBKDF2 nor a salt; it performs a single SHA-256 operation over the user-supplied plaintext password. The practical consequences are that identical passwords produce identical hashes, a precomputed table of hashed guesses works against every affected device, and brute-force guessing runs at raw SHA-256 speed instead of being slowed 1,000-fold by the intended iteration count.
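To make the gap between the documented and the shipped scheme concrete, here is an added example (not Cisco's code) that computes Type 4 exactly as the affected releases do, beside a PBKDF2-HMAC-SHA256 construction with an 80-bit salt and 1,000 iterations as Cisco described. The `salt$hash` output format for the intended variant is an assumption made for illustration; Cisco never shipped it. The base64 alphabet is Cisco's own (`./0-9A-Za-z`, no padding), and the known-answer value in the demo is a widely published Type 4 test vector for the password `hashcat`.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
from typing import Iterable, Optional

# Cisco's base64 alphabet, written without '=' padding; a 32-byte digest becomes 43 chars.
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CISCO_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = str.maketrans(STD_B64, CISCO_B64)


def cisco_b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").rstrip("=").translate(_TO_CISCO)


def type4_as_shipped(password: str) -> str:
    """What the affected IOS releases actually store: one unsalted SHA-256 of the password."""
    return cisco_b64(hashlib.sha256(password.encode()).digest())


def type4_as_intended(password: str, salt: bytes, iterations: int = 1000) -> str:
    """What Cisco documented: PBKDF2-HMAC-SHA256, 80-bit salt, 1,000 iterations.
    The 'salt$hash' encoding is an assumption for this example, not a Cisco format."""
    if len(salt) != 10:
        raise ValueError("Type 4 was specified with an 80-bit (10-byte) salt")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"{cisco_b64(salt)}${cisco_b64(dk)}"


def crack_shipped(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against the shipped scheme: one SHA-256 per candidate, and because
    there is no salt the table is built once and reused against every Type 4 hash ever seen."""
    table = {type4_as_shipped(w): w for w in wordlist}
    return table.get(target)


def crack_intended(target: str, salt: bytes, wordlist: Iterable[str],
                   iterations: int = 1000) -> Optional[str]:
    """Same guessing against the intended scheme: 1,000 HMAC-SHA256 calls per candidate,
    and the per-hash salt forces all of that work to be redone for every stored hash."""
    for w in wordlist:
        if hmac.compare_digest(type4_as_intended(w, salt, iterations), target):
            return w
    return None


if __name__ == "__main__":
    print("shipped  :", type4_as_shipped("hashcat"))  # 2btjjy78REtmYkkW0csHUbJZOstRXoWdX1mGrmmfeHI
    s1, s2 = bytes(range(10)), bytes(range(10, 20))
    print("intended :", type4_as_intended("hashcat", s1))
    print("intended :", type4_as_intended("hashcat", s2), "(same password, different salt)")
    words = ["password", "cisco", "hashcat", "letmein"]
    print("cracked  :", crack_shipped(type4_as_shipped("hashcat"), words))
```

Note that `crack_shipped` never touches the target until the table is built: with no salt, the attacker's cost is paid once per dictionary, not once per hash, which is exactly the property PBKDF2's salt and iteration count were meant to deny.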